Discussion

Either separately or together, these features
let you customize your PowerShell environment across your entire
domain.

Apply PowerShell’s Group Policy templates

The administrative templates for Windows PowerShell let you
override the machine’s local execution policy preference at both the
machine and per-user level. To obtain the PowerShell administrative templates, visit
this site and
search for “Administrative templates for Windows PowerShell.”

Note

Although Group Policy settings override local preferences,
PowerShell’s execution policy should not be considered a security
measure that protects the system from the user. It is a security
measure that helps prevent untrusted scripts from running on the
system. As mentioned in Enable Scripting Through an Execution Policy, PowerShell is only a vehicle
that allows users to do what they already have the Windows
permissions to do.

Once you install the administrative templates for Windows
PowerShell, launch the Group Policy Object Editor MMC snap-in.
Right-click Administrative Templates, and then select Add/Remove
Administrative Templates. You will find the administrative template in
the installation location you chose when you installed the
administrative templates for Windows PowerShell. Once added, the Group
Policy Editor MMC snap-in provides PowerShell as an option under its
Administrative Templates node, as shown in Figure 18-2.

Figure 18-2. PowerShell Group Policy configuration

The default state is Not Configured. In this state, PowerShell
takes its execution policy from the machine’s local preference (as
described in Enable Scripting Through an Execution Policy). If you change the state to one of the
Enabled options (or Disabled), PowerShell uses this configuration
instead of the machine’s local preference.

Note

PowerShell respects these Group Policy settings no matter
what. This includes settings that the machine’s administrator may
consider to reduce security—such as an Unrestricted group policy
overriding an AllSigned local preference.
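
To check which scope is supplying a machine's effective execution policy, and whether a Group Policy setting is overriding a stricter local preference as the note above describes, you can compare the scopes that Get-ExecutionPolicy -List reports. The following is an added example, not code from the book; the function name Get-EffectivePolicySource and the strictness ranking are assumptions made for illustration.

```powershell
# Added example, not from the book. The strictness ranking below is an
# assumption of this example (higher = more restrictive), not a PowerShell API.
$strictness = @{
    'Bypass' = 0; 'Unrestricted' = 1; 'RemoteSigned' = 2
    'AllSigned' = 3; 'Restricted' = 4; 'Default' = 4
}

function Get-EffectivePolicySource {
    # -List returns every scope in precedence order: MachinePolicy,
    # UserPolicy, Process, CurrentUser, LocalMachine.
    $scopes = @(Get-ExecutionPolicy -List)

    # The first scope that is not Undefined supplies the effective policy.
    $winner = $scopes |
        Where-Object { [string]$_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1
    $local = $scopes | Where-Object { [string]$_.Scope -eq 'LocalMachine' }

    $fromGpo = $false
    $looser  = $false
    if ($winner) {
        # MachinePolicy and UserPolicy are the two Group Policy scopes.
        $fromGpo = @('MachinePolicy', 'UserPolicy') -contains [string]$winner.Scope
        $localName = [string]$local.ExecutionPolicy
        # Compare only when Group Policy wins and a local preference exists.
        if ($fromGpo -and $localName -ne 'Undefined') {
            $looser = $strictness[[string]$winner.ExecutionPolicy] -lt
                      $strictness[$localName]
        }
    }

    [pscustomobject]@{
        EffectivePolicy  = Get-ExecutionPolicy
        SourceScope      = if ($winner) { $winner.Scope } else { 'None (default)' }
        LocalPreference  = $local.ExecutionPolicy
        SetByGroupPolicy = $fromGpo
        LooserThanLocal  = $looser
    }
}

Get-EffectivePolicySource | Format-List
```

A result with LooserThanLocal set to True identifies a machine where Group Policy has replaced a stricter local preference, which is worth reviewing with whoever owns the policy.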

Deploy Microsoft Certificate Services

Although outside the scope of this book, Microsoft Certificate
Services lets you automatically deploy code-signing certificates to
any or all domain users. This provides a significant benefit, as it
helps protect users from accidental or malicious script tampering.

For an introduction to this topic, visit this site and search for
“Enterprise Design for Certificate Services.” For more information
about script signing, see Sign a PowerShell Script, Module, or Formatting File.